Victims of Bank frauds in India such as Phishing and Credit Card frauds now have an opportunity to send their views on what they expect from Reserve Bank of India.

As readers of these columns are aware, a working group of RBI called “G Gopala Krishna Working Group on Information security, Electronic Banking, Technology Risk Management and Cyber Frauds” (let us call this GGWG) had recently released its report. This had been commented upon by the undersigned in a couple of articles which are also available at Naavi.org.

One of the objections that we had raised was that the committee had no representation of the Bank customers though the recommendations had long term implications on the Bank customers. On the other hand Commercial Banks were represented by ICICI Bank and SBI.

In most of the Banking frauds in the electronic banking era, there is a dispute as to whether there was any negligence on the part of the Bank and whether there were any contributory factors of information security failure that caused losses to the customers. In cases such as Phishing and encashment of stolen credit cards, though the issue was one of “Forgery”, Banks were trying to push the liability on the Customers though there was more negligence on their part than on the part of the customer.

The current guidelines on Internet banking issued by RBI on June 14, 2001 were based on a working group called the S R Mittal Working Group, which had examined the issue in detail and given certain recommendations which RBI had accepted.

One of the major recommendations in the guidelines was that Banks must use the legally valid digital signature as the form of authentication of electronic documents and if they use any other system of authentication, they should assume the “legal risk”. There was also a suggestion that Banks need to obtain insurance against such risks.

Despite these clear instructions, Banks were bullying the customers to pick up the liabilities on account of Phishing. ICICI Bank is one of the major culprits in this regard. This negligence is compounded by factors such as opening of accounts for fraudsters in the Bank without proper KYC. In Mumbai and Delhi there are a number of fraudsters who have opened accounts with ICICI Bank and some other Banks such as Punjab National Bank, HDFC Bank, SBI etc and used them to siphon off money from innocent persons around India.

These factors came to the fore when two judgements in March-April 2010 held that Banks should pick up the liability for Phishing. One was a Consumer Court decision in Mumbai against HDFC Bank and the other was the TN Adjudicator’s decision in the much publicised Umashankar Vs ICICI Bank case.

There were several reasons why the TN adjudicator felt ICICI Bank was liable in the case. One of the key reasons was that the Bank was not using the legally acceptable form of authentication in the form of digital signatures and used passwords which could be easily stolen and forged.

Some Banks may be trying to persuade RBI to adopt measures which, though against the law, would protect the Bankers from liabilities for Cyber Frauds irrespective of their negligence.

RBI however has been able to resist the pressure and the Internet Banking guidelines of June 14, 2001 reflected the strong view in RBI that the customer’s interests are paramount.

We hope that this basic thinking still prevails in RBI.

However 2011 is not 2001. Banks today are well aware of the adverse commercial implications if they have to obtain insurance on Phishing frauds. In fact many Banks are sitting on a host of Phishing frauds and even if they cover themselves for the year 2011-2012, they need to make substantial provisions for Phishing liabilities for the year 2010-2011. If they do not make proper provisions, they will fail on the Basel II compliance front as well as Clause 49 (Listing Norms) compliance.

It is therefore the duty of every Bank customer to understand that RBI may come in for pressure from vested interests to adopt certain recommendations which are against the interests of Bank customers, and to do everything in their control to ensure that sufficient counter pressure is brought on the RBI not to yield to the pressure from vested interests.

Now RBI has requested public to send their comments on the GGWG to them before February 14 before they formulate the operational instructions regarding the implementation of the recommendations.

The group took more than 10 months to formulate its recommendations that run into about 277 pages. Public now have about 10 days in which they have to analyse the impact of the report and submit their views.

The recommendations cover Information security issues which experts can handle. It also has issues such as Cyber Frauds, Legal Issues of Cyber Frauds and Customer Education related issues on which public need to respond.

At Naavi.org some quick points of interest are posted. A Copy of the report is also available.

Organizations which are interested in Bank customers including Forum of Free Enterprise or other NGOs, as well as ISACA and other professional bodies need to quickly organize internal meetings to develop their recommendations and submit to RBI.

I call upon all persons who have a stake in “Safe Banking” in India to immediately initiate actions to obtain public opinion gathered in this respect and make recommendations to RBI in time so that they would get the views of the public.

As an ex-banker and a person actively engaged in supporting victims of Cyber crimes including Phishing victims I have observed that the situation in some of the banks is so bad that customers must find that keeping large balances in their accounts where Internet banking is enabled is a huge risk. Since most Banks today provide Internet access as part of the package, every Bank customer is at a risk to the extent that they need to move their Bank balances to smaller Banks which are not too far ahead in technology for the fraudsters to exploit. The coming days when Mobile Banking is being introduced are even harsher.

If we want technological innovations in Banking it should be not at the cost of safety of funds. If we value safety in banking, this is the time to act. Send your comments to RBI and urge RBI to put the interest of customers in the forefront.

A sample copy of a letter which a phishing victim can send is available at www.naavi.org. Public can use the template and make alterations as they may feel required. The address to which it has to be sent is also available in the template (http://www.naavi.org/cl_editorial_11/ggwg_letter_victims.doc). Copy of the report is available at: http://www.naavi.org/cl_editorial_11/full_report_working_group_electronic_banking_jan2011.pdf

Some articles are also available on www.naavi.org for public to go through for immediate information.

Naavi of Naavi.org
